Location, Location, Location

Q&A with Norman Sadeh on How Technology Affects Your Privacy

The U.S. Supreme Court is reviewing a case, U.S. v. Jones, that raises important questions about the government's use of GPS technology to monitor the movements of people. In this case, the government argues that it was not required to obtain a warrant before using GPS to track a suspected drug dealer.

But Professor Norman Sadeh, along with other technology experts, has filed an amicus brief, contending that this warrantless use of GPS violates the Fourth Amendment. Sadeh, director of CMU's Mobile Commerce Laboratory and co-director of the School of Computer Science's Ph.D. Program in Computation, Organizations and Society, talked to the Piper about the ways GPS tracking is more invasive than other surveillance technologies that have been legally used without warrants.

GPS is commonplace today in our cars, smartphones and other devices. Why should this not be a routine tool available to law enforcement?

The issue we are talking about is whether it should be available to law enforcement without any warrant. It amounts to saying the police can decide whether they would want to put the GPS unit under a car without the knowledge of the owner of that car or without authorization from a judge.

If you look at the cost of this technology and its progress, and if you take it to the extreme, you could have a GPS unit under every car and police could start tracking us at any point in time.

How does GPS differ from other technologies that law enforcement has used in the past without warrants?

For a long time police have been able to tail suspects and decide if they were seeing something that warranted more investigation. In the '70s, they started relying more on technology that made it possible to potentially tail people from as far as a mile or two.

With GPS, we are looking at the opportunity to scale. You don't need to follow the car anymore; you can just install as many units as you want and have all this information imported back to your computer.

You also have the ability to store this data in a format that can be easily analyzed across large numbers of people and to recoup information with data mining that would enable you to uncover all sorts of things beyond what could be done with the old technologies.

Do police routinely get warrants for this sort of GPS use?

It's clear that the police have requested warrants to track vehicles, and they have done that selectively.

In this particular case, what's so interesting is that the police did obtain a warrant. That warrant expired at the time they installed the device. When they tried to use the evidence that they had collected, it was noticed that the warrant had expired. Under the Fourth Amendment, without a proper warrant, one would expect the evidence to then be excluded.

The police claimed, however, that they don't really need a warrant to use this device, which is really an interesting contradiction, given that they had requested one.

If the Supreme Court determines they don't need a warrant, then we are looking at the prospect of potentially all of us having GPS units under our car without our knowledge. Data mining is extremely powerful. Research at Carnegie Mellon has shown how much you can infer by looking at someone's whereabouts.

What can you infer?

If you look at individuals' whereabouts, you can infer which church they are going to, what ailments they might have based on the hospitals they visit, whether they are potentially cheating on their spouse — a lot of very sensitive information.

Someone's location is very much considered personally identifiable information, and it's been identified as sensitive for a very, very long time. What's more interesting is that when you start using location information across populations of people, you can identify social relationships between people. Not too long ago, we published a paper showing that we could do this with a very high level of accuracy.

Many of us carry around GPS units with our phones. If people are able to tap into that sort of information, what might they learn?

Quite a lot. And this is not hypothetical.

About six months ago, an incident that made headlines was that Apple had been collecting location information from people with iPhones. Collecting the information was in line with their recently changed privacy policy. But what was unacceptable was this data was unencrypted on the cell phone. That meant that essentially anyone who had knowledge of that file on the phone would be able to access it. That included anyone interested in exploiting this information potentially with malicious intent. Think jealous husbands, paranoid employers or criminals.

A very fundamental notion when it comes to information privacy is that obviously information has to at least be secure.

When you look at the technologies available today, for instance on our cell phones, it's clear that organizations are collecting this information. New mobile application development environments such as those offered by Android and Apple have resulted in the launch of tens of thousands of mobile apps that access our location. It's something that people don't fully realize. Until recently "Angry Birds" was requesting your location! This information is then often shared with advertising networks. We've been conducting interviews with people to understand to what extent they were aware of collection practices and to see how they felt about it. People tend to express surprise.

Do we need better laws, regulation or understanding of the problem?

A fundamental principle of information privacy is that data subjects should have adequate control over the information collected about them. The fact that people are expressing surprise about the information collected about them strongly suggests that current practices and interfaces are inadequate.

There's an ongoing debate about whether industry can self-regulate or whether the government has to step in. There are various proposals under consideration in Congress and elsewhere specifically on location privacy. This is really one of those areas where privacy has significantly eroded over the past three years.

Three years ago, there were very few apps using your location. The advent of the App Store and the Android Marketplace has made it very easy today for application developers — who don't necessarily need it — to start collecting location information. For them, the appeal is location-based advertising, the ability to make more money by having access to your location.

People are giving away location information left and right — without their knowledge — and what that means from a commercial standpoint is that all kinds of things could happen that consumers may not expect.

From a government perspective, it means all of this data is stored somewhere, and nothing prevents government from subpoenaing it. Again, that's not something that people fully realize.